CVE-2026-2953

MEDIUM 5.4

Dromara UJCMS Template WebFileTemplateController.delete deleteDirectory path traversal

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

0th

A vulnerability has been found in Dromara UJCMS 101.2. This issue affects the function deleteDirectory of the file WebFileTemplateController.delete of the component Template Handler. Such manipulation leads to path traversal. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE	CWE-22
Vendor	dromara
Product	ujcms
Published	Feb 22, 2026
Last Updated	Feb 25, 2026

Stay Ahead of the Next One

Get instant alerts for dromara ujcms

Be the first to know when new medium vulnerabilities affecting dromara ujcms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Dromara / UJCMS

101.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/?id.347319 vuldb.com: https://vuldb.com/?ctiid.347319 vuldb.com: https://vuldb.com/?submit.755215 yuque.com: https://www.yuque.com/la12138/pa2fpb/lxngf3d07uyd0nwp?singleDoc

Credits

🔍 Saul1213 (VulDB User)